The Good Hacker


BY CHRIS HIGGINS

As digital security breaches skyrocket, a cybersleuth everyman takes center stage.


BY CHRIS HIGGINS | PHOTOS BY SAM SCOTT

As digital crime skyrockets, a cybersleuth everyman takes center stage.


Hot fingerprints: Ken Westin uses a thermal camera to ‘steal’ an elevator PIN pad number.

Ken Westin stands in a downtown Portland office elevator holding an iPhone with a chunky thermal camera on its back. He punches random numbers on the elevator PIN pad, then holds up the phone and snaps a picture. In the photo, bright yellow spots jump out on the numbers two, three and six, where his finger has left momentary heat traces. “That’s all it takes,” he says calmly.

Westin has just “stolen” an elevator PIN code. Theoretically, he says, thieves could use similar technology to swipe debit card PIN codes and clear out bank accounts, although it’s uncertain whether thermal cameras have actually been used for that purpose. But “it’s possible,” says Westin, who knows whereof he speaks, having tested the procedure on a variety of PIN pads around Portland.

The 39-year-old Westin is a senior security analyst at Tripwire, a Portland software firm that makes digital security and compliance products for businesses. He describes himself as a “cybercriminologist,” a technology geek who spends his days researching new cyber threats like stealing PIN codes and the latest hacking methods.


Most people are aware that cyber crime costs individuals and businesses billions of dollars every year. The amount of money companies are shelling out to combat it continues to skyrocket. Worldwide spending on information security grew 7.9% in 2014, and will grow another 8.2% in 2015, reaching $76.9 billion, according to Gartner, a Stamford-based technology research firm. The International Data Corporation (IDC) estimates that global revenue for security and vulnerability management companies was $4 billion in 2013, with the average company’s annual growth rate at roughly 10%.

Tripwire is near the top of the pack. The company ranks among the top five SVM cybersecurity firms in the world, and is expanding in this sector faster than all but IBM, according to IDC. Tripwire revenue is currently growing at 20% year-over-year, booking $160 million in 2014. “We will end up being the next billion-dollar security company,” CEO Jim Johnson told Oregon Business in January. That same month, Tripwire was acquired by St. Louis-based Belden, a maker of networking products and cables. Post acquisition, Tripwire continues to operate independently and remains headquartered in Portland.

Westin is on the frontlines of this rapidly growing marketplace. Sporting half-rim glasses and a ready grin, he exudes an easygoing intelligence and makes frequent appearances on TV explaining digital crime to the masses. But he also works obsessively behind the scenes: using forensic tools to track down digital thieves and hacking into computer networks as part of security certifications. “Ken is an ace,” Johnson says. “He’s one of those individuals who can live in two worlds.”

Actually, Westin inhabits many worlds. Navigating an industry that is both a pop culture phenomenon (Sony hack, anyone?) and a critical operation for businesses, Westin is one of thousands of software developers who have reshaped downtown Portland in the past five years. In that sense, Westin is a cybersleuth everyman, emblematic of a new breed of tech worker, and the continued penetration of technology into all aspects of culture and economy, high and low.

“As security guys have more power within their organizations, they’re forced to grow up and start speaking the language of business,” Westin says. “You can’t just be in the basement and do your little hacks anymore.” Security professionals traverse darker boundaries, he says. “I met with a law enforcement official a while back who said there’s a fine line between cop and criminal. I can think like a criminal. I like understanding the mind of a hacker, but doing good with [that knowledge].”



More than $445 billion is lost to cybercrime every year, worldwide, according to the Center for Strategic and International Studies. The breaches keep coming: Anthem, Chipotle, Home Depot, JP Morgan Chase. Hundreds of thousands of malicious computer programs are reported every day.

Westin first got into the fast-growing digital crimefighting business in 2007, when he founded GadgetTrak, a Portland startup that tracked stolen devices using anti-theft software. He worked with local and national law enforcement to locate purloined smartphones and other mobile devices and uncover organized crime rings.

In one notable case, the company’s CameraTrace product located a Getty Images photographer’s camera equipment — valued at more than $9,000 — by digging through serial numbers embedded in photographs posted on photo sites including Flickr and Facebook. When the photographer punched his stolen camera’s serial number into the system, new photos from its current owner popped up, allowing him to locate the camera.

The work was tremendously rewarding — during his five years with the company, Westin also earned a patent for writing software that automatically tracks stolen storage devices like USB thumb drives, and has a second patent pending for a method to track (or remotely wipe) mobile devices like laptops. But after serving as both CEO and CTO, Westin eventually burned out. “Sometimes I wouldn’t sleep for days,” he says. He left GadgetTrak in 2012, seeking more stability for himself, his wife and their ten-year-old son. The month Westin stepped down, he joined Tripwire.

It’s a sign of how far the Portland tech scene has progressed that Tripwire is now considered one of the city’s stodgier software firms, an established, first-generation company in a sea of youthful, and trending, mobile app startups. Its history dates back to 1992, when co-founder Gene Kim released the first Tripwire program as a student at Purdue University. The program monitored a computer’s hard drive, noting any changes to files, at which point a virtual “tripwire” would be pulled, and a human administrator could investigate.

Almost 20 years later — the company was founded in 1997 — Tripwire applies the same tactics to two primary cybersecurity challenges: combatting attacks and remaining in compliance with laws and contractual obligations. If a Tripwire customer opts to use a “threat intelligence” service, when a vulnerability is detected, the threat is analyzed and other customers are protected automatically, like injecting a digital vaccine.

That proactive approach has helped make Tripwire an industry success story. Today, the company has more than 9,000 customers: more than half of Fortune 500 companies, nine of the top ten utilities in the U.S. (PG&E, Chevron and Shell), eight of the top ten global retailers (iWalmart.com), and seven of the top ten global telecoms (Vodafone). Every major cabinet agency of the U.S. government, including the Senate and the Office of the President, is a Tripwire customer.

 


Federal climate change budget 2014: $11.6B

Federal cybercrime budget 2014: $13B

It’s an enviable client list and fertile territory for an enterprising tech worker who has a global outlook and a fascination with true crime. As an undergraduate at Lewis and Clark College, Westin studied literature and East Asian studies, then earned a master’s in Internet systems development from the University of Portsmouth. That mixture of liberal arts and technical chops makes him a potent communicator and investigator, colleagues say.

“[Westin explains] cybersecurity for mere mortals,” says Dwayne Melançon, Tripwire’s CTO. Westin’s approachable style, Melançon says, helps “the average person understand not only what [the cybercrime threat] is at a high level, but why it matters.”

Straightforwardness has other virtues. “In security marketing, there’s a lot of B.S.,” says Westin. “You can sell that. But being truthful and up-front; that’s what’s important.”

One of roughly 30 security analysts in the research and development division, Westin occupies a unique position at Tripwire, which employs 440 people. Most of the other analysts develop technical content for products and work directly with customers. Westin is the first analyst to join the office of the CTO, which itself is a new department and reflects the company’s growing focus on research and product evangelism — showing how Tripwire’s software can be used in new ways. A big picture thinker, Westin ferrets out trends, seeking to understand what happens when businesses are breached and the methods behind the attacks. Then he figures out how Tripwire can protect customers before they’re hit.

“I call myself a ‘cybercriminologist’ because that’s what [my job] is,” Westin says. “It’s understanding the tools, the techniques, and more importantly the motivations behind these criminals. People say, ‘Hackers, they’re just trying to do bad things.’ Not necessarily. They’re trying to make money just like anyone else. It just happens that their moral compasses are sort of skewed.”

There are plenty of other SVM firms with offices in Oregon: Intel Security (formerly McAfee), Symantec, and Cisco. Fraud prevention firms Iovation and SheerID are headquartered in Portland.

That kind of nonjudgmental appreciation of the criminal mind has a long tradition in the field of forensic detective work. Westin himself is an admirer of Edmond Locard, a forensic scientist who was known as “the Sherlock Holmes of France” in the early twentieth century. Locard founded a lab to study forensics and developed early techniques to compare fingerprints. He is best known for “Locard’s exchange principle,” an edict suggesting that a criminal who takes something always leaves something behind — the exchange.

In cybercrime too, “there are always traces [hackers] leave,” says Westin, who, to extend the Holmes analogy, is easily the Portland version of the famous detective. Westin plays guitar in an alternative rock band, has a black belt in Poekoelan, a combination of Chinese and Indonesian martial arts, and indulges, once or twice a week, in Clover coffee, brewed one cup at a time. Holmes, as fans of Sir Arthur Conan Doyle will recall, played violin and practiced the fictional self-defense method “Baritsu.” The Victorian sleuth’s drug of choice? Cocaine.

 

 


Westin points to specialized servers he has set up to lure hackers. These “Honeypot networks” expose the source and method of the attack.

The global cost of narcotics crime as a percentage of GDP: 0.9%

Global cost of cybercrime: 0.8%

The biggest difference between physical and cyber crime is that digital evidence might never be recorded if a computer system is not set up to capture it beforehand. So researchers have to think ahead, trying to see the future of attacks in order to monitor them.

Back in the elevator, Westin is doing just that. It’s easy to see how an elevator access pad can be a security risk: If a person punches in the code, an attacker standing by can steal that code and gain access to a private office. Westin and his colleagues have conducted similar tests cloning key cards that can offer one-touch access to private spaces. He has been tinkering with these experiments for months.

“Ken has to be a little obsessive,” remarks Bill James, a member of Westin’s band, Floating Pointe. But James attributes Westin’s career success at least in part to his right-brain interests. “There are computer-smart people who are geniuses, but if you try to put them in a team, they can’t function,” James says. “When you’re in a [musical] ensemble, you have to compromise and keep going.”

The material used for PIN pad buttons makes a difference, Westin says. Rubber retains heat from fingers; metal and hard plastic generally don’t. He hasn’t been able to grab a PIN from a smartphone screen and thinks glass is likely the best material for PIN pads.

As much a popularizer as tech guru, Westin plans to publish these findings so manufacturers and consumers become aware of the risk. As he often does following a high-profile cyber attack, in March, he appeared on KOIN news to discuss the Premera Blue Cross security breach, one in a series of attacks to hit patient medical records. “I’m the one the media calls directly,” says Westin, whose friends have created a Facebook hashtag, #WorstCaseWestin, to joke about his many TV appearances bearing bad news for consumers. “If I had to talk about sports, I wouldn’t be comfortable,” Westin says. “When it’s about security, I enjoy it.”

His hobbies embrace a similar mix of security and pedagogy. Shortly after he joined Tripwire, Westin took a series of tests to earn his black belt in Poekoelan, which he had been studying for a decade. The defining moment came when he had to perform “the night walk,” a journey down a dark, wooded trail toward a fire, defending himself against 15 hidden attackers. He ended up with a black eye, a chipped tooth and a swollen jaw. But he succeeded, eventually becoming a Poekoelan instructor at the Tulen Center in southwest Portland.

“It’s always amazing to teach a kid to flip someone who is three times their size on their back,” says Westin. 

A bill under consideration in the Oregon Legislature would create a Cyber Center of Excellence. The center, to be located at an Oregon university, would improve the state’s technology education and coordinate with the growing cybersecurity industry for research and other projects.

In March, Westin and one of his Tripwire colleagues, security engineer Irfahn Khimji, gave a talk at BSides, a security conference held in Vancouver, B.C. The presentation, titled “I Am the Insider Threat,” explained how employees can become cyber-threats to their own companies, usually when they get fired. Tripwire’s products are already being used to identify the risks associated with malicious employees, says Westin. Since anyone in a position like his could become a threat, monitoring is crucial. “Sometimes you have to rely on unorthodox ways of catching the insider,” Westin says.

If that sounds Big Brotherish, paranoia is a hazard of the job. Westin has designed an intense regimen to keep his own digital life secure: he installs few apps on his iPhone, stores little personal data on cloud services and only connects his phone to wifi at home. He replaces his credit and debit cards up to four times a year and describes credit cards as “promiscuous.” Why? Because they get around.

What is the next category of threats on Westin’s radar? He cites the ‘Internet of Things,’ smart gadgets installed in our homes, carried in our pockets, or strapped to our wrists. Westin worries less about the data on the devices than the master data set in the cloud, where a breach could expose a person’s location, health status or other personal information.

PIN code theft is just the tip of the iceberg in physical cybersecurity threats, says Westin, because it relies on an attacker being present during the attack. As industry connects utilities and other infrastructure to the Internet, hackers can cause real, physical damage from afar. The best-known example is Stuxnet, a sophisticated “cyberweapon” discovered in 2010 that destroyed hundreds of Iran’s uranium enrichment centrifuges. It’s not hard to extrapolate what could happen when hackers target Internet-connected power plants, nuclear or otherwise.

Melançon, Tripwire’s CTO, brings up a different kind of risk. He worries that hackers will meddle with farms, altering sensors that monitor food temperature and storage. This could cause bacteria to grow in food that the farm’s fooled sensors indicate is safe.

“It’s one thing to say, somebody attacks your bank and gets your bank account information,” Melançon says. “‘Woe is me, that’s horrible.’ In some cases, yeah, it is catastrophic, but in most cases it’s not. Whereas, somebody gets E. coli and dies, there’s no coming back from that.”



Tools of the trade. Some are used against an organization directly from outside the building. Others are implanted inside hardware or on the network.

Power plant attacks, retail security breaches, connected devices, E. coli — as Jun Li, an associate professor of computer and information science at the University of Oregon, observes: “Security now penetrates every sector.” Through its connection with parent company Belden, Tripwire is poised to take advantage.


The $710 million acquisition vaults the company into a new market, helping protect Belden’s industrial customers — including infrastructure like power plants, traffic control and water processing — from cybersecurity problems that have plagued retailers and tech companies for years. “The strategy is simple,” says Johnson. “Continue to be a leader in the commercial space. Leverage all of that technology into the industrial space through Belden, [which] understands how to sell to that world.”

Tripwire is also benefiting from a new corporate restructuring trend. After Target was hacked in 2013 and an estimated 70 million customers’ personal information stolen, the CEO resigned, the CIO was replaced, and a shareholder proxy firm recommended that most of the board be removed “for failure to provide sufficient risk oversight.”

Faced with this reality, many companies have created a new position: the Chief Information Security Officer, or CISO. Those CISOs are turning to Tripwire for help. Jeff Franklin, for example, CISO for the State of Iowa, adopted Tripwire technology in 2011 as part of his strategy to improve cybersecurity in state government.

 

The Internet economy generates between $2 trillion and $3 trillion annually. Cybercrime cuts into that revenue by 15% to 20%.

CISOs reflect the mainstreaming of cybersecurity — and cybercrime. Once a pejorative referring to outcasts bent on destruction, hackers as white-collar professionals are now a hot commodity in business circles. Fighting cybercrime may sound like a Manichean battle between good and evil. But the job traverses decidedly gray territory, and Westin himself avoids talking about his work in black and white terms. “To dig into the underworld, to have visibility into things that not many other people can see or understand,” he says. “That’s what drives me.”

It also drives Tripwire — and Portland. In 2000, Tripwire became one of the first software companies to locate in the urban core; today, you can hardly walk a block downtown without stumbling across a software firm, filled with coders and engineers working on tech products most people can’t see or understand.

As those companies reshape the central city, Westin is already incubating a new generation. Last year, he took his son to “ToorCamp,” a five-day hackers camp and conference in Neah Bay, Washington: “Burning Man for nerds,” Westin calls it. The highlight, he says, was helping hook up a beehive to a computer music system, so the bees inadvertently made music entering and exiting the hive. (His son preferred trying out lock picks.)

Hacking, at its core, is about learning how today’s technology-driven world works. Today, more and more people, in business, in the home and in the corporate ecosystem, want to find out. The vanguard of the global cybersecurity industry, Westin says, should be ready to respond.
